TACACS+ ACS 5.4 ASR 9001 authorization
Hello
Can anyone help with the TACACS+ attributes for users authorized on a Cisco ASR 9001 (IOS XR)?
Thank you
Yoram
You should know which task the command you are trying to issue belongs to.
Then you know which task group that task is assigned to.
Visit this link to learn how to do the above:
https://supportforums.Cisco.com/docs/doc-15944
Then you must configure the TACACS+ server to return the attribute that puts the task under the privileges of the user:
See here: http://goo.gl/7YP5zu
I use the following attribute on the ACS server in the user group config (we have version 4.2):
task=#cisco-support,rwx:admin,#root-system
This makes the user inherit read, write and execute access to the 'admin' task and puts the user in the local (locally defined on the router) 'cisco-support' and 'root-system' user groups.
NOTE: we did two things above: inherit access to the task AND put the user in the selected local groups. I don't know if one can be used without the other.
HTH
Amjad
Rating useful answers is a more useful way to say "thank you".
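As an added example (not from the thread and not Cisco's code), here is a small Python parser for the task attribute string shown in the answer above, so the grants can be reviewed before the ACS group attribute is pushed; the token rules (`#name` is a local user group, `perms:task` is a task permission) come from the answer, while accepting the debug permission `d`, an optional `task =` prefix and surrounding quotes are assumptions.

```python
import re
from dataclasses import dataclass, field

# Permission characters accepted for a task ID. The answer above shows only
# r/w/x; "d" (debug) is an assumption taken from IOS XR task-ID conventions.
VALID_PERMS = set("rwxd")

@dataclass
class TaskAttribute:
    groups: list = field(default_factory=list)   # local user groups to join
    tasks: dict = field(default_factory=dict)    # task id -> set of perms
    errors: list = field(default_factory=list)   # tokens that were rejected

def parse_task_attribute(value: str) -> TaskAttribute:
    """Parse e.g. 'task=#cisco-support,rwx:admin,#root-system'."""
    result = TaskAttribute()
    # Drop an optional 'task =' prefix and surrounding quotes (assumed forms
    # in which the attribute may be copied out of ACS).
    text = re.sub(r"^\s*task\s*=\s*", "", value.strip(), flags=re.IGNORECASE)
    text = text.strip('"')
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("#"):            # '#name': local user group
            name = token[1:]
            if name:
                result.groups.append(name)
            else:
                result.errors.append(token)
        elif ":" in token:                   # 'perms:task': task permissions
            perms, task = token.split(":", 1)
            if perms and task and not (set(perms) - VALID_PERMS):
                result.tasks.setdefault(task, set()).update(perms)
            else:
                result.errors.append(token)
        else:                                # neither form: reject, don't guess
            result.errors.append(token)
    return result

def describe(attr: TaskAttribute) -> list:
    """One human-readable line per grant, for change review."""
    lines = [f"join local group '{g}'" for g in attr.groups]
    for task, perms in sorted(attr.tasks.items()):
        lines.append(f"task '{task}': {''.join(sorted(perms))}")
    return lines

if __name__ == "__main__":
    # Constructed sample: the attribute value from the answer above.
    for line in describe(parse_task_attribute("task=#cisco-support,rwx:admin,#root-system")):
        print(line)
```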
Tags: Cisco Security
Similar Questions
-
ASR 9001 BFD and BVI/subinterface
Hello
I would like to run BFD to my neighbor, which is an ASR 920.
On the ASR 9001 it looks like BFD will not work on the BVI interface, so I tried to configure subinterfaces.
But the ASR 9001 does not support native VLAN, which the ASR 920 must be able to talk on in CMHTs! Any suggestions?
Thank you
/ Daniel
Daniel,
BFD is supported on IRB/BVI in 5.1.3+; you may be running an older version?
Regards
Eddie.
-
How to stop RADIUS/TACACS+ on ACS 5.2?
Hi, is it possible to stop RADIUS/TACACS+ on ACS 5.2 from the GUI?
From the command line you can stop the ACS instance itself, but I don't think you can stop individual components. It would simulate a failed ACS instance.
I think it is:
request stop acs
or
acs stop
To start, it's the same thing with the start keyword.
-
Hello
We installed a new ASR 9001, but every time we reload it asks us to enter a new root-system password.
Any idea why?
So the admin config or the normal config is not getting saved properly.
I recommend 2 steps:
1 - Check the
IOX_ADMIN_CONFIG_FILE=
IOX_CONFIG_FILE=
variables; the "set" command in rommon mode gives you all of the variables. Check that they have a valid path/file.
2 - Follow the IOS XR install guide to initialize all devices and services (you can find the installation guide in the Cisco documentation).
-
Problem with TACACS+ (ACS) and Cat 2950
I have configured the 2950 as below and properly configured ACS, and I can connect to the 2950 using this configuration; the problem is that after I go to enable and try any command, I get the error "command authorization failed".
What did I miss in the config that will allow me to execute commands?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
tacacs-server host ***.***
radius-server key 7 *
Thanks in advance.
Jon
Hi Jon,
The AAA on the switch seems ok; maybe you need to take a look at your ACS.
Check the following information on where you have to apply it in your ACS config:
Rgds,
AK
-
Custom role with TACACS+ (ACS 5.4) - NX-OS RBAC limited access
Hello
I created a custom RBAC role on NX-OS.
Role: Limited_Admin
11 deny command config t ; interface mgmt 0
10 permit read
9 permit command config t ; interface *
8 permit command copy running-config startup-config
7 permit command ping *
6 permit command traceroute *
I created a shell profile with the following attribute that places the user in the Limited_Admin role, and mapped it to the authorization policy rule.
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles="Limited_Admin"
When I log in with the test account I get mapped to the custom role as shown below, but I have priv 15.
user: testrbac
roles: Limited_Admin
account created through the REMOTE authentication
Credentials such as ssh server key will be cached only temporarily for this user account
Local login is not possible
Any help is greatly appreciated. I had this working perfectly on 4.2 but I am unable to make the rules work on 5.4.
Nexus AAA configuration:
radius-server key *
ip tacacs source-interface mgmt0
radius-server host x.x.x.x
aaa group server tacacs+ ACS-SERVERS
server x.x.x.x
use-vrf management
aaa authentication login default group ACS-SERVERS
aaa authentication login console local
aaa accounting default group ACS-SERVERS
aaa authentication login error-enable
I saw it, and that's what I wanted to see and use as the syntax/format on NX-OS under the role,
like this:
Role: Limited_Admin
11 deny command configure terminal ; interface mgmt0
However, I think you tried it and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.
Jousset
*Please rate helpful posts* Sent from Cisco Technical Support Android app
-
ACS 5.2 authorization assignment with nested groups in LDAP
I have a Cisco Secure ACS 5.2 on a virtual machine. We use it for TACACS+ administrative access to our Cisco equipment. I use LDAP to authenticate against Active Directory. It currently works when a user is directly in the group that is assigned. We are changing the way we assign group permissions and have created nested groups.
For example:
- User1 is a member of Group1
- Group1 is a member of Group2.
I have mapped Group2 to have access to my devices. However, User1 does not get mapped to the right group and access is denied.
When I go to Monitoring and Reports and the TACACS+ authentication details, under other attributes where it shows the external groups the user is a member of, I don't see Group2, only Group1.
However, when User1 is a member of Group2 directly, the user is able to log on.
Does ACS 5.2 not support this? How can I use nested groups?
Nested group mapping is not supported with LDAP (because the memberOf attribute on the user only contains the groups directly above it, not the nested ones). This is the default behaviour when we use nested groups with LDAP. You must add the subgroups to ACS and the respective authorization rules.
Kind regards
Jousset
Please rate useful posts.
-
Cisco ACS 5.2 authentication and authorization processes
I am designing a network and I have a few questions that I don't know how to answer, so I thought I'd put them on the forum to see if I can get help.
First, thank you very much for reading this post, and thank you if you can add comments to help me out.
Setup:
Two ACS, one in each data center, serving the switches in that DC; TACACS+ in hybrid mode, falling back to the other ACS in the failure scenario.
ACS version 5.2, planning to upgrade to 5.8 if it is stable.
Desired result:
If a user fails AD authentication then it should be rejected.
If AD is down on one ACS, that ACS should check the other ACS, and if the other ACS has an AD connection then it should divert the request to the other ACS...
I'm sure this is not possible, but that was the main request... I argued against it, so now the new request:
If AD fails, ACS should fall back to the local database. If the local database does not authenticate the user, it should let the switch send the same request to the secondary ACS rather than rejecting the request.
A bit more: the local database is reserved for the network admins, but some contractors may need to access switches and other devices, and they will have an entry in AD, so if AD fails they can still authenticate against the DC2 AD via the DC2 ACS.
I am thinking of setting up:
Authentication rule 1 - authenticate against AD,
If authentication failed - Reject
If user not found - Reject
If process failed - Continue
This should then fall through to the default, which will be the internal database.
If authentication failed - Reject
If user not found - Drop
If process failed - Drop
This should give no response to the switch, and then the switch should try the second RADIUS server in the list...
Please can someone explain this flow for me... and whether my assumptions are correct...
I would like to know if there are some good diagrams I can refer to, to see the whole process, and use in my presentation...
Thank you very much for reading and for answering...
Hello
I'm not sure I get your question, but I will try to answer the way I understood it.
If you send a drop as the result, this means ACS drops the request, causing the AAA client to fail over to another AAA server.
A thread was posted on the community a few years ago:
(https://supportforums.cisco.com/discussion/11811801/aaa-servers#3931298)
I hope that's what you are looking for.
-
Problem with TACACS+ ACS 4.2 NDG and shell command authorization sets
Hi all
I am trying to solve this problem, without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it in our environment. So I configured a 2960S to be my test client and everything works well. The problem is when I try to create fine-grained policies using network device groups and shell command authorization sets.
I created shell command authorization sets called ReadOnly and FullAccess. I also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I set up the FloorSwitchesFullAccess group and assign the shell command authorization set per NDG and then log in to the switch, all my commands are rejected as unauthorized.
One thing I noticed is that if I assign the shell command authorization set to any device (in the user group settings) it works fine. Or if I create the binding with the DEFAULT NDG in the user group, that works too. My conclusion is therefore that for some reason ACS does not associate my switch with the correct group, but instead uses the DEFAULT group.
Has anyone had a similar problem, or is there something I'm doing wrong? Is there another way to achieve such a thing without using NDGs?
Thank you all...
Please upgrade to patch 6; there is a bug in patch 5, and you can see the release notes or the readme for more information.
Which user setting is on while you test command authorization? Do you have it set on the group setting?
Thank you
Tarik Admani
-
Authentication problem with TACACS+ ACS
My organization was using ACS with AD to authenticate users for access to network devices.
But lately it does not work. There have been no known changes.
Can anyone help point out the possible problems, or links showing how the actual ACS configuration should be, or look like, for this to work?
My apologies if this is a naive question; I am not so comfortable with ACS.
Thank you!
Hello
There are two ways to correct the message 'windows dialin permission required'. You can either add dial-in permission on the user accounts in your Windows database, or you can remove the "Require Dialin permissions" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a checkbox that gives you the option to "make sure that grant dialin permission is checked".
Checking this box will cause the error you get if your Windows users do not have dial-in permission. If you uncheck this box, it should clear this up.
HTH
JK
-
ASR 9001 built-in ports: can they support Twinax cables?
Hello
Can the ASR9001 built-in ports support 10 Gig using Twinax connection cables:
SFP-H10GB-CU3M, 5M, 7M and 10M?
Thank you!
-Mazzy
We support only the active (ACU) cables, not the passive (CU) cables.
Support came in 5.1.1
Thank you
Sam
-
No TACACS+ Administration report after upgrading to ACS 4.1
Hello
I was running the ACS 4.0 demo version. Everything worked very well.
After the upgrade, keeping the old configuration, I can't see logs in the TACACS+ Administration reports. I kept the router configuration and get the same thing, so I think the problem lies in the ACS software.
I ran a few debugs, and it seems that the router does send the typed command to the ACS.
Here is the config I'm using:
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
aaa authentication login telnet group tacacs+ enable
aaa authentication login console enable
aaa authentication enable default group tacacs+ enable
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection telnet arrhythmic group tacacs+
line con 0
authorization exec NO-AUTH
login authentication console
line vty 0 4
authorization exec AUTH
login authentication telnet
aaa authorization exec AUTH group tacacs+ none
aaa authorization config-commands
aaa authorization exec NO-AUTH none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Hello
It is a known issue; you must apply the ACS 4.1.1.23.5 hotfix to solve the problem.
The patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
The patch for ACS on Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
That should solve the problem.
Kind regards
Jagdeep
Note: If this answers your question, then please mark this thread as solved, so that others can benefit from.
-
AAA TACACS+ accounting - CLI commands issued by the user do not appear in the ACS report.
Can I know why the CLI commands issued by the user do not show in the TACACS+ ACS accounting report? The session duration is displayed, but I also want to log which commands the user issued.
What is missing here?
aaa authentication login VTY group P1_ACS local enable
aaa authorization exec default group P1_ACS local if-authenticated
aaa authorization exec CONSOLE none
aaa accounting exec default start-stop group P1_ACS
aaa accounting commands 5 default start-stop group P1_ACS
aaa accounting commands 15 default arrhythmic group P1_ACS
Command accounting logs are stored in the TACACS+ Administration logs.
There is also a known issue on version 4.1.1, and we must
apply the ACS 4.1.1.23.5 patch to fix the problem.
The patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
The ACS hotfix for Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
Nexus command authorization with TACACS+.
Hello.
Can anyone provide an example configuration for using Cisco Secure ACS 4.2 to enable command authorization with TACACS+?
Thank you.
Kind regards.
Andrea
Hello Andrea,
We have moved to ACS 5.3 now, but we had our Nexus 5520 running against our old 4.2 ACS before that, so I have picked out the relevant bits of the config below:
username admin password <removed> role network-admin ; local admin user
feature tacacs+ ; turn on tacacs
radius-server host <ip> key <key> ; set the key for the RADIUS server
aaa group server tacacs+ tacacs ; create the group called "tacacs"
server <ip> ; set the IP address of the RADIUS server
use-vrf management ; tell it to use the default 'management' vrf to send tacacs queries
source-interface mgmt0 ; ...and send from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send records to tacacs
I hope that works for you!
(This may change a bit when you move to ACS 5.x: we chose not to do complex command authorization (using only shell profiles), so to handle this you fall back to the Nexus 5k, and it does the command authorization (network-operator vs network-admin) based on the role, if you just do not configure aaa authorization commands on the 5k.)
Rob...
-
TACACS+ authorization.
I can't get aaa authorization working using Win2k TACACS+. I have the following commands on my router:
aaa new-model
aaa group server tacacs+ ciscosecure
aaa authorization config-commands
aaa authorization exec ciscosecure group tacacs+
aaa authorization network ciscosecure group tacacs+
Authentication is fine; I can even control login by time of day. Only authorization has issues; I need to define the groups for users to belong to.
Thank you
Francis
Hello Francois,
You must add the following lines for authorization on the router:
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
Thank you
Renault
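As an added example (not from the thread and not Cisco's code), here is a small Python audit of the IOS AAA lines the answer above says were missing: it checks, per privilege level, that an "aaa authorization commands" line exists and is sourced from a server group, that each authorized level also has an "aaa accounting commands" line, and that "aaa authorization config-commands" is backed by level-15 command authorization. The config text and the list of checked levels (0, 1, 15) are constructed for the example.

```python
import re

# Matches e.g. "aaa authorization commands 15 default group tacacs+ none"
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# Matches e.g. "aaa accounting commands 15 default start-stop group tacacs+"
CMD_ACCT = re.compile(r"^aaa accounting commands (\d+) (\S+) (\S+) (.+)$")

def audit_command_authorization(config: str, levels=(0, 1, 15)) -> list:
    """Return a list of findings (strings); an empty list means no gaps."""
    cfg_lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    authz, acct = {}, set()
    for line in cfg_lines:
        m = CMD_AUTHZ.match(line)
        if m:
            authz[int(m.group(1))] = m.group(3)   # level -> method list
        m = CMD_ACCT.match(line)
        if m:
            acct.add(int(m.group(1)))
    findings = []
    for lvl in levels:
        if lvl not in authz:
            findings.append(f"no 'aaa authorization commands {lvl}' line: "
                            f"level-{lvl} commands are not authorized by the server")
            continue
        methods = authz[lvl]
        if not methods.startswith("group "):
            findings.append(f"level {lvl}: first method is '{methods.split()[0]}', "
                            f"not a server group")
        if lvl not in acct:
            findings.append(f"level {lvl}: commands authorized but not accounted "
                            f"(no 'aaa accounting commands {lvl}' line)")
    if "aaa authorization config-commands" in cfg_lines and 15 not in authz:
        findings.append("'aaa authorization config-commands' has no effect without "
                        "'aaa authorization commands 15'")
    return findings

# Constructed sample: the router lines from the question plus the three
# lines the reply recommends, but still without any command accounting.
SAMPLE_CONFIG = """
aaa new-model
aaa group server tacacs+ ciscosecure
aaa authorization config-commands
aaa authorization exec ciscosecure group tacacs+
aaa authorization network ciscosecure group tacacs+
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
"""

if __name__ == "__main__":
    for finding in audit_command_authorization(SAMPLE_CONFIG):
        print("-", finding)
```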